
Set a custom shell for people on the bastion project
Open, High, Public

Description

I just found a 44 line crontab in the bastion project that should've been running on tools but has been running on bastion forever, and I found this only very, very accidentally.

We should have a custom shell for bastion projects that has a custom banner, allows proxycommands and (for now) ssh-agent-forwarding-based ssh, and nothing else.

Event Timeline

yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description.
yuvipanda added a project: Cloud-Services.
yuvipanda added subscribers: yuvipanda, coren, akosiaris, Andrew.

Change 223828 had a related patch set uploaded (by Yuvipanda):
ldap: Allow projects to override user's loginshells

https://gerrit.wikimedia.org/r/223828

Should allow people to:

  1. ssh on (we still support agent forwarding, unfortunately)
  2. ssh on via proxycommand

We could also utilize /etc/cron.allow / /etc/cron.deny. However, I'm not sure if they affect Puppet, i.e. if an empty /etc/cron.allow prevents Puppet from setting up or running intended jobs.

Yeah, but I was hoping for it to be purely whitelist-based, similar to the old sillyshell - a small Python script that laughs at you if you try to do anything other than ssh to somewhere else.

A custom, restricted shell would certainly be preferable as it prevents (most) other abuses as well.

Are there no pre-existing minimal shells that we can adopt rather than writing our own?

There's rbash, but that's not restricted enough...

What I had set up once upon a time was that the ssh connection to the bastion landed in a chroot which had only very minimal commands available. Namely, at the time, Kerberos to grab an AAA ticket, then the Kerberos versions of rlogin/telnet/rsh. So there was nothing much we could do on the bastion.

On our svn versions, folk would ssh to svn.wikimedia.org with the shell being set to sillyshell (python source). It would only let you execute svnserve.

So I guess we could do something similar and only allow ssh proxy command.

I think a chroot is more than what we need, since we don't want to restrict users to just their homedirs - we want to restrict them only by the commands they can run. The sillyshell approach might be the correct / easier one.

Something like this is an option:

http://cybermashup.com/2013/05/14/restrict-ssh-logins-to-a-single-command/

Would it also be possible to just configure systems so that users on bastion are members of no groups and hence can't write anything to anywhere, ever?

sillyshell is problematic for Windows users in the same way ProxyCommand is (although it's slightly less problematic). This would require Windows users to find the right tab (Connection » SSH, but I tried five other tabs first), enter 'ssh <hostname>' there, and hope that goes through. Logging in and then running ssh is much easier.

sillyshell on its own doesn't provide what we need yet, as we need to parse the command that is passed.

Oh yeah - not sillyshell itself but something similar. I'll start experimenting with a different project and see how it goes :) I do want to make sure agent forwarding (for Windows users) keeps working fine...
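The whitelist-only shell discussed above (a sillyshell-like script that allows nothing but an onward ssh, and that parses the command sshd passes in) could look like this. It is an added example, not code from this task or from Wikimedia; SSH_BIN, SSH_CONFIG, ALLOWED_SUFFIXES and the prompt text are constructed placeholders.

```python
# Sillyshell-style restricted login shell for a bastion: the only thing a user
# can do is ssh onward. Added example, not code from this task or Wikimedia;
# ALLOWED_SUFFIXES, paths and messages are constructed placeholders.
import os
import shlex
import sys

SSH_BIN = "/usr/bin/ssh"      # absolute path: never trust the user's PATH
SSH_CONFIG = "/dev/null"      # or a root-owned file; never ~/.ssh/config (ProxyCommand!)
ALLOWED_SUFFIXES = ("example.internal",)   # constructed: where users may hop to
SAFE_FLAGS = {"-A", "-a", "-4", "-6", "-q", "-v", "-t", "-T"}  # no local effects


def check_command(command):
    # Return the ssh argv to exec for an allowed command line, or None to refuse.
    try:
        argv = shlex.split(command)
    except ValueError:                 # unbalanced quotes
        return None
    if not argv or argv[0] != "ssh":
        return None
    host = None
    for arg in argv[1:]:
        if not arg.startswith("-"):
            host = arg                 # anything after the host runs on the target
            break
        if arg not in SAFE_FLAGS:      # refuses -o/-oX=Y, -F, -L/-R/-D, -W, ...
            return None
    if host is None:
        return None
    hostname = host.rsplit("@", 1)[-1]
    if not any(hostname == s or hostname.endswith("." + s) for s in ALLOWED_SUFFIXES):
        return None
    return ["ssh", "-F", SSH_CONFIG] + argv[1:]


def main():
    # Run as 'shell -c CMD' (ProxyCommand, scp, ...) or bare; bare users type only ssh args.
    if len(sys.argv) == 3 and sys.argv[1] == "-c":
        command = sys.argv[2]
    else:
        command = "ssh " + input("bastion> ssh ")
    argv = check_command(command)
    if argv is None:
        sys.exit("bastion: refused: " + command)
    os.execv(SSH_BIN, argv)            # replaces this process; nothing else runs


if __name__ == "__main__":
    main()
```

Note that a ProxyCommand of the form `ssh -W target:22 bastion` never invokes the login shell at all; that path is governed by sshd's AllowTcpForwarding/PermitOpen settings, so both need to be set deliberately.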

Change 223828 merged by Yuvipanda:
ldap: Allow projects to override user's loginshells

https://gerrit.wikimedia.org/r/223828

chasemp subscribed.

Change 284530 had a related patch set uploaded (by Rush):
lshell scaffolding for restricting Labs users

https://gerrit.wikimedia.org/r/284530

Change 284530 merged by Rush:
lshell scaffolding for restricting Labs users

https://gerrit.wikimedia.org/r/284530

Per @chasemp's recommendation I am poking at this due to the use of a 'pwb.py replace.py -regex LONG_REGEX' in the bastion project today; it ate up the CPU for a while and we only realized because the bot did not run as expected.

Change 751130 had a related patch set uploaded (by David Caro; author: David Caro):

[operations/puppet@production] lshell: remove unused module

https://gerrit.wikimedia.org/r/751130

Change 751130 merged by David Caro:

[operations/puppet@production] lshell: remove unused module

https://gerrit.wikimedia.org/r/751130